INTRODUCTION

Today’s production and manufacturing companies are very much dependent on their local networks. One of the advantages of local networks is the sharing of common facilities. Shared devices such as servers and file storage systems can be accessed by all employees and managers. They provide cost-effective solutions without the need to invest in additional hardware and software, and they also assist in process control, production scheduling, and data collection as well as in making managerial decisions.

Many companies maintain private networks, which are 
not accessible by the public. But, given that a majority of 
networks are connected to the Internet, the private networks 
must be separated from the public networks via firewalls and 
other means to control the incoming and outgoing traffic. 

In large networks, traditional leased lines were often used to interconnect remote branches or remote sites to the local networks. Here the carrier provides a private connection to the remote sites by means of a leased line. Nowadays, however, there is an alternative transport medium available to everyone, including all organizations: the Internet. Although easily accessible, one shortfall of the Internet is that it is not a secure environment for transmitting sensitive data. The question then becomes how the data are sent over the Internet and which Internet service providers (ISPs) are used for this purpose.

From a security perspective, the Internet offers a sea of 
opportunity for retrieving and monitoring information in an 
unauthorized way. Therefore, using the public network as a 
medium for interconnecting private networks seems not so 
advisable unless necessary steps are taken to secure private 
information. This is where virtual private networks (VPNs) 
come into the picture by providing secure interconnections 
over an untrusted medium such as the Internet. 

For many national and international organizations dispersed geographically in their processing and manufacturing operations, a VPN provides the means of extending a local area network (LAN) over a public medium [1-4]. It provides a cost-effective way of establishing a LAN-to-LAN connection between sites. This makes the remote site appear to be within the same local network, so that common facilities can be shared by all geographically dispersed sites. The availability of services depends on the security policies and relevant access configurations of the network and application devices in the server farms.

VPNs find applications in manufacturing industries [5-9], process control [3,10,11], remote control [12-16], power systems [17], and many others. In some cases, companies interconnect two or more remote sites, and the interconnection may extend to third-party companies, clients, and suppliers [18]. The use of VPNs in industrial operations is growing rapidly. In the following sections of this chapter, the technical aspects and applications of VPNs are discussed from the network management point of view.

CHARACTERISTICS OF VPNs 

Given the ever-expanding size of companies in the global markets, an increasing part of the workforce requires remote access to a diverse range of resources. For effective operation of VPNs, efficient, secure, and robust remote connectivity is needed. With the availability of the Internet, and given the global nature of modern business practices, the option of using traditional leased lines can no longer be justified.

From an industrial perspective, the benefit of expanding an organization’s platform by using existing resources at the head office or any data center over the Internet in a secure and cost-effective manner is inviting. In a process plant, for example, the main monitoring and control center may be located at one site, with many sensors and controllers all connected to the system via supervisory control and data acquisition (SCADA), generating continuous information about the operation of the plant. All this information can be accessed from any point around the world. The possibility of expanding the local system through the use of a VPN clearly adds efficiency to the operations. Hence a manufacturing plant could have an array of sensors and controllers in remote locations that are connected to the existing core of operations in a secure and effective manner.

Security of information is a serious concern for companies as well as for people who rely on the Internet for their day-to-day activities. With this increased usage, information viewed or downloaded without authority is completely transparent to the end users. Many times there will be no indication or evidence that the data have been affected or tampered with. As transparent as these attacks might be, the option to secure user traffic can be implemented with the same degree of simplicity and transparency, and VPNs address many of these issues.

More information on Internet security can be found in Chapters 15, 29, 30, and 31 of this book.

TYPES OF VPNs 

A VPN can be a remote-access VPN or site-to-site VPN, 
both of which will be explained next. 

Remote-Access VPN 

The connection to the Internet determines whether the remote user is given a dynamically assigned or a static public IP address. Generally, remote users have a dynamically assigned public IP address, which is more suitable for a remote-access VPN, whereas in site-to-site VPNs the remote site connection generally has a static public IP address.

The device used to connect to the Internet has a role in 
determining the best type of remote-access VPN to be used. 
The remote device could be a personal laptop, handheld 
device, or even a device with a different operating system. 
This, in conjunction with the configuration of the main site, 
will have a role in determining whether a client-based or 
secure sockets layer (SSL)-based VPN is used. 

Client-Based VPNs 

Client-based VPNs require a specific software client to be 
installed on the remote user’s device. The client software is 
vendor-specific. 

In a typical client-based VPN setup, the remote user has proprietary VPN client software installed. The remote user is connected to the Internet and is dynamically assigned a public IP address by the ISP. The head office, on the other hand, has a static public IP address as well as a VPN key. The VPN client software has the option to set parameters for the site’s VPN connection such as IP address, VPN security key, and other parameters. Once connected to the VPN server, security keys are exchanged and a secure encryption tunnel is created between the server and the client. In most cases, the server will then prompt the remote user for additional authentication, for example, user name and password.

There is a vast array of vendors for such client-based VPNs, some of which are Cisco, Checkpoint, Nortel, and Microsoft. The vendor-specific nature of the client software limits flexibility, in that the remote device must have the VPN client software installed and be preconfigured with the static IP address and security key before a VPN connection can be established. The versatility of being able to use any Internet-connected device regardless of operating system or ownership is not possible, as it is in the case of client-less or SSL-based VPNs.


SSL-Based VPNs 

An alternative to client-based VPNs is the SSL-based or client-less VPN. Technically, client software is still used, but without the limitation of a vendor-specific requirement: the software common to all users and devices is the Internet browser, which can be Internet Explorer, Safari, Mozilla, Opera, etc. The remote user machine could be running Microsoft Windows, Linux, and/or Mac without requiring additional configuration. This eliminates the machine-specific disadvantage of client-based VPNs; the only limitation is that the device must run an Internet browser, and given the vast array of such devices available, this provides the level of flexibility and versatility needed for a remote user. From the perspective of the remote users, establishing and using an SSL-based VPN is completely transparent. The Internet browser manages the secure and encrypted communications between the client and the server.

SECURE SOCKET LAYER 

When web pages first used hypertext transfer protocol (HTTP), plain text was communicated without any protection. The primary drive for developing secure data communication over the web interface came when businesses started transmitting confidential data via the Internet. Initially there were a number of proposed protocols, some of them proprietary; however, SSL became the standard.

SSL version 1 was first utilized by Mosaic browsers in 1994. SSL version 2 was commercially available soon after from Netscape Communications, a company founded by the inventors of Mosaic, following the release of the Navigator web browser. Microsoft introduced its own proprietary encryption method in 1995 called private communications technology (PCT). PCT was proven to be superior to SSLv2; however, soon after Netscape released SSL version 3 in 1996, it was adopted by the Internet Engineering Task Force (IETF). In 1999, it became the international standard for secure web communications and was renamed transport layer security (TLS).

Identifying SSL-Based Websites 

Whether SSL-secured communication has been established by a web browser is evident in the address of the web page, that is, the uniform resource locator (URL). More specifically, a web address that starts with “https” rather than “http” indicates an SSL-based website. In this case, the hypertext transfer protocol secure (HTTPS) uses a different TCP port from traditional HTTP: port 443 as opposed to port 80.

An additional indication that the website is SSL based is that the Internet browser shows an icon indicating that the contents are protected and that you have entered into secure communications with the web server. Figure 32.1 illustrates a Microsoft Internet Explorer SSL-based website with three clear indicators. Firstly, the URL prefix is https; secondly, the padlock icon appears; and thirdly, the indication on the status bar shows “Protected mode: On.”

FIG. 32.1 A typical SSL web page.

SSL VPN Tunnels 

In much the same sense of a site-to-site VPN tunnel, an SSL 
VPN tunnel is where protected data are sent and received 
through an untrusted medium such as the Internet in a secure 
“tunnel.” Communication occurs at the application level. 
This allows for the SSL VPN to be implemented from any 
computer or any mobile device. This is the major advantage 
of SSL VPNs over site-to-site VPNs. It is the operation in 
the application layer that allows the bypass of any technical 
limitations of many devices. 

SSL Reverse Proxy 

All the traffic from the Internet with a destination address of a specific web server is routed through a proxy server. This proxy server may deal with the request itself or pass the request entirely or partially to the web server. This allows for web filtering and load sharing. Specific to a reverse proxy is that it sends inbound network traffic to a set of servers, whereas a forward proxy provides web filtering and/or load sharing for outbound traffic. The benefit of using an SSL reverse proxy is that it allows both web and non-web applications to utilize the SSL tunnel for communications. This provides remote access to other services such as file sharing, printers, and other resources by transforming Intranet applications to be accessible via the Internet.

Site-to-Site VPNs 

A site-to-site VPN results in a LAN-to-LAN connection between sites where both sites are part of a common Intranet. The remote site has available to it all the services common to that Intranet. Which services are available depends on the company’s security policies and relevant configurations on the respective devices.

If the remote site is an additional branch or remote office, the VPN connection is referred to as an intranet-based VPN. Alternatively, if the remote site is a supplier or any other third-party company, the VPN connection is referred to as an extranet-based VPN.


VPN TUNNELS AND PROTOCOLS 

The concept of a VPN is typically based on tunnels, where the source data are encapsulated into a new packet and transmitted in accordance with the new packet’s protocol. In a site-to-site VPN, hosts send and receive IP traffic to a remote site without being aware of the encrypting and decrypting taking place. The traffic destination is a normal LAN IP address, and the traffic is routed through the VPN tunnel. The VPN tunnel is defined by a set of local IP addresses at the tunnel end points.

Consider the illustration given in Figure 32.2. The local host A is sending data to the remote host B. The destination IP is the private IP address of host B, belonging to a different subnet from that of the local network. The IPsec VPN tunnel is used to direct or route traffic to and from the hosts in a secure and protected manner. The local router contains a routing table that maps the destination subnets to outgoing interfaces or next-hop IP devices. In this case, the next-hop address is the VPN tunnel end point IP address. The packet host A sends to host B has the destination IP address of host B, 192.168.0.10. The routing table of router A maps the 192.168.0.0/24 subnet to the remote tunnel end point IP address 10.10.10.2. The packet, with the source IP address 172.16.1.10, is encrypted and sent through the VPN tunnel. The peer router receives this packet, removes the outer headers, decrypts the payload, and routes the packet to host B within the LAN. This achieves a LAN-to-LAN network in which devices on the local LAN are accessible from the remote private network as if they were on the same Intranet.
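As an added illustration of the routing and encapsulation just described (this code is not part of the chapter), the following Python simulates router A’s longest-prefix route lookup, the encapsulation of host A’s packet between the tunnel end points, and the peer router’s decapsulation. The local tunnel end point address 10.10.10.1, the router and packet classes, and the sample payload are assumptions; encryption of the inner packet is left out to keep the focus on routing.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """A plain IP packet as seen by the hosts (the inner packet)."""
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class TunnelPacket:
    """Outer packet carrying the encapsulated inner packet between tunnel end
    points. In a real IPsec tunnel the inner packet would travel as the
    encrypted ESP payload; encryption is omitted here on purpose."""
    outer_src: str
    outer_dst: str
    inner: Packet


class Router:
    def __init__(self, local_subnets, tunnel_local, tunnel_routes):
        self.local_subnets = [ipaddress.ip_network(n) for n in local_subnets]
        self.tunnel_local = tunnel_local  # this router's own tunnel end point
        # Routing table entries of interest: destination subnet -> next hop,
        # where the next hop is the remote tunnel end point address.
        self.routes = {ipaddress.ip_network(k): v for k, v in tunnel_routes.items()}

    def lookup(self, dst):
        """Longest-prefix match. Returns "local" for a directly attached LAN,
        the remote tunnel end point for a tunneled subnet, or None (no route)."""
        addr = ipaddress.ip_address(dst)
        if any(addr in n for n in self.local_subnets):
            return "local"
        matches = [n for n in self.routes if addr in n]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda n: n.prefixlen)]

    def forward(self, pkt):
        """What leaves the router: the packet itself on the local LAN, a
        TunnelPacket towards the peer end point, or None if unroutable."""
        next_hop = self.lookup(pkt.dst)
        if next_hop == "local":
            return pkt
        if next_hop is None:
            return None
        return TunnelPacket(self.tunnel_local, next_hop, pkt)

    def receive_tunnel(self, tpkt):
        """Peer side: accept only traffic addressed to our own end point, strip
        the outer header and deliver the inner packet if it belongs to our LAN."""
        if tpkt.outer_dst != self.tunnel_local:
            return None
        if self.lookup(tpkt.inner.dst) != "local":
            return None
        return tpkt.inner


# Figure 32.2 addresses: host A on 172.16.1.0/24 behind router A, host B on
# 192.168.0.0/24 behind router B, remote end point 10.10.10.2. The local end
# point 10.10.10.1 is an assumption; the chapter does not give it.
ROUTER_A = Router(["172.16.1.0/24"], "10.10.10.1", {"192.168.0.0/24": "10.10.10.2"})
ROUTER_B = Router(["192.168.0.0/24"], "10.10.10.2", {"172.16.1.0/24": "10.10.10.1"})


def send_a_to_b(payload=b"constructed telemetry sample"):
    """Run the scenario end to end. Returns (packet as seen on the Internet,
    packet delivered to host B)."""
    inner = Packet("172.16.1.10", "192.168.0.10", payload)
    on_wire = ROUTER_A.forward(inner)
    return on_wire, ROUTER_B.receive_tunnel(on_wire)


if __name__ == "__main__":
    wire, delivered = send_a_to_b()
    print("outer header:", wire.outer_src, "->", wire.outer_dst)
    print("delivered to host B:", delivered)
```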

IPsec 

The Internet protocol security (IPsec) protocol is used to 
protect and form the basis of encryption of data through a 
VPN. Note that encryption of the data is an optional feature 
of IPsec. 

The nature of a VPN is to protect data as they traverse an untrusted medium such as the Internet. The Internet itself comprises a vast array of next-hop devices over which no single carrier has control. Implementing data protection at the Layer 2 (data link) level would allow the most secure means of communication; however, it is not feasible because the next-hop devices are outside the organization’s control. Instead, IPsec is implemented at Layer 3, where the IP protocol operates, to provide data protection. This is the reason that IPsec only protects data from Layer 3 and above. Please note that the layers referred to are those of the OSI layer model. More information on the ISO/OSI model can be found in Chapters 29 and 31.

FIG. 32.2 Typical site-to-site VPN tunnel scenario.

The advantages of IPsec protocol correspond to the fea- 
tures that make up the protocol. 

IPsec Features 

IPsec protocol comprises four features: 

1. Data confidentiality (optional) 

2. Data integrity 

3. Peer authentication 

4. Antireplay 

Data Confidentiality Data confidentiality ensures that the data exchanged between VPN end points are readable only by the intended end point. This is the feature responsible for the encryption of the packet and is optional in IPsec. Data confidentiality is implemented by the user by means of an encryption algorithm and distributed encryption keys. The encrypted data cannot easily be understood by anyone other than the intended recipient.

Data Integrity The objective of data integrity is to ensure that the data have not been altered or modified in any way as they traverse the VPN. Hash-based message authentication codes (HMAC) sign packets to ensure that the data originally sent are exactly the same as the data received. HMAC performs a mathematical calculation on the data using a hash function (algorithm) in combination with a key. The hash function is also referred to as a “one-way function,” since it is infeasible to recover the message from its hash value, whereas the hash value is easily computed from the message itself.


The message is verified by each peer recomputing the cryptographic checksum and comparing it with the one provided. In reference to the scenario given in Figure 32.2, the sending host A uses a hash function and a shared key to compute the cryptographic checksum for the data within the packet. The peer host B, upon receiving the packet, performs the identical hash function with the shared key and compares the result with the checksum in the packet sent from host A. A differing hash value indicates that the message has changed in transit, and the packet is discarded.

There are two commonly used hash functions, with differing strength and different computational requirements. The industry standard, Message Digest 5 (MD5), provides a 128-bit hash. Alternatively, the secure hash algorithm 1 (SHA-1) provides a 160-bit hash, giving much stronger security than MD5 and in turn being more resource demanding.

Peer Authentication Peer authentication or data origin 
authentication certifies the source of the IPsec VPN and is 
performed by both VPN end points. The source of the data 
from a VPN must be validated to ensure the data is from a 
trusted source. 

Antireplay In the event of VPN traffic being intercepted and simply replayed at a different time to mimic the original transmission, IPsec uses the optional antireplay feature to guard against duplicate packets. Each packet is given a sequence number, and the receiver uses a sliding window to detect packets that arrive too late or repeat a sequence number already seen; these are considered duplicate packets and are discarded. The antireplay feature of IPsec is entirely optional and not a requirement for the IPsec protocol to operate.
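The receiver-side processing described under Data Integrity and Antireplay, as an added example in Python (not from the chapter): the sender keys an HMAC over the sequence number and payload, and the receiver recomputes it with the shared key, then applies a sliding window of sequence numbers to drop replayed or too-old packets. The packet layout, the 32-packet window, the shared key and the sample payloads are constructed for the example and are not taken from the IPsec standards.

```python
import hmac
from dataclasses import dataclass

# Digest sizes the chapter compares: MD5 gives a 128-bit hash, SHA-1 160 bits.
DIGEST_BITS = {"md5": 128, "sha1": 160}


@dataclass(frozen=True)
class ProtectedPacket:
    seq: int        # sequence number, increases by one per packet sent
    payload: bytes
    icv: bytes      # integrity check value = HMAC(key, seq || payload)


def compute_icv(key, seq, payload, algo):
    """Keyed hash over the sequence number and payload (constructed layout)."""
    return hmac.new(key, seq.to_bytes(4, "big") + payload, algo).digest()


class Sender:
    def __init__(self, key, algo="sha1"):
        self.key, self.algo, self.seq = key, algo, 0

    def send(self, payload):
        self.seq += 1
        icv = compute_icv(self.key, self.seq, payload, self.algo)
        return ProtectedPacket(self.seq, payload, icv)


class Receiver:
    """Verifies the ICV first, then enforces the antireplay sliding window.

    The window covers sequence numbers (highest - window_size, highest]; bit i
    of `seen` is set when sequence number (highest - i) has been accepted.
    """

    def __init__(self, key, algo="sha1", window_size=32):
        self.key, self.algo, self.window_size = key, algo, window_size
        self.highest = 0   # highest sequence number accepted so far
        self.seen = 0      # bitmask of accepted sequence numbers in the window

    def receive(self, pkt):
        expected = compute_icv(self.key, pkt.seq, pkt.payload, self.algo)
        # Constant-time comparison so the mismatch position is not leaked.
        if not hmac.compare_digest(expected, pkt.icv):
            return "discard: integrity check failed"
        if pkt.seq > self.highest:
            shift = pkt.seq - self.highest
            mask = (1 << self.window_size) - 1
            # Slide the window forward; slots that fall off the left are too old.
            self.seen = (self.seen << shift) & mask if shift < self.window_size else 0
            self.seen |= 1
            self.highest = pkt.seq
            return "accept"
        offset = self.highest - pkt.seq
        if offset >= self.window_size:
            return "discard: too old (outside window)"
        if self.seen & (1 << offset):
            return "discard: replayed sequence number"
        self.seen |= 1 << offset   # late but genuine packet inside the window
        return "accept"


def demo(key=b"constructed shared key"):
    """Packets 1 and 3 arrive, then 2 (late), then 2 again (a replay), then a
    copy of packet 3 whose payload was altered in transit."""
    sender, receiver = Sender(key), Receiver(key)
    p1, p2, p3 = (sender.send(b"valve=open"), sender.send(b"valve=close"),
                  sender.send(b"setpoint=42"))
    tampered = ProtectedPacket(p3.seq, b"setpoint=99", p3.icv)
    return [receiver.receive(p) for p in (p1, p3, p2, p2, tampered)]
```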

IPsec Protocols 

IPsec protocols are standards-based to support the interconnection of network devices from various vendors. This provides flexibility in integration with existing systems, allowing for versatile, cost-effective security solutions.

The IPsec protocol provides the exchange of security 
keys, authentication, and the encapsulating of the original 
data. The three primary IPsec protocols are as follows: 

1. Internet key exchange (IKE) 

2. Authentication header (AH) 

3. Encapsulating security payload (ESP) 

INTERNET KEY EXCHANGE 

The first step in the creation of an IPsec VPN is IKE. The primary result of IKE is an established security association (SA) between VPN end points. The SA is a contract of IPsec parameters agreed upon by the end points, and it provides the means for the exchange and negotiation of security parameters and authentication keys. The IKE protocol has a series of phases defining the features of the SA created.

IKE comprises two mandatory phases (IKE phase 1 and IKE phase 2) and one optional phase (IKE phase 1.5). Throughout these phases, IKE calls upon two protocols: the Internet security association and key management protocol (ISAKMP) and Oakley. ISAKMP is used to establish, negotiate, modify, and delete SAs. This includes peer authentication but does not include any form of key exchange.

The Oakley protocol uses the Diffie-Hellman (DH) algorithm to manage the exchange of keys over the SA. The DH algorithm is a cryptographic protocol allowing a secret key to be securely exchanged over an insecure medium.

IKE Phase 1 

IKE phase 1 is a mandatory component of IKE and is used to establish a bidirectional SA between IPsec VPN peers. It can optionally be used to perform peer authentication to validate the identity of the IPsec VPN peer.

IKE phase 1 can be implemented in modes such as main mode, aggressive mode, and quick mode.

Main mode is made up of three stages: IPsec parameters and security policy, DH public key exchange, and ISAKMP session authentication.

Aggressive mode is identical to the main mode in that the 
same three stages are undertaken. However, the manner in 
which the steps are taken differs. With aggressive mode, the 
IPsec end point device, which initiates the session, sends DH 
public keys, IPsec parameters, and security policies. The 
receiving end point authenticates the received packet and 
sends a parameter proposal, key material, and identification 
back. The initiator then authenticates the packet. 

Quick mode is always used and is implemented after IKE phase 1, such that an SA is always negotiated before quick mode negotiation takes place. Ensuring that an SA is negotiated beforehand in turn ensures that the quick mode negotiations are protected. Quick mode manages the key exchange for this SA.

IKE Phase 1.5 

Unlike the other IKE phases, IKE phase 1.5 is purely optional. This phase is used to provide extended authentication after IKE phase 1 has been completed. After IKE phase 1, the IPsec VPN end points are authenticated. IKE phase 1.5 provides additional authentication for the users of the IPsec VPN end points, that is, the end hosts within the remote and local sites. In this case, the actual user is prompted to authenticate before an IPsec connection is established.

IKE Phase 2 

After IKE phase 1, a bidirectional SA between IPsec VPN end points is established. This is used for transferring encryption keys in a secure manner, after which IKE phase 2 is implemented to create unidirectional SAs. For each direction, a different key is needed and is established using IKE quick mode.

AUTHENTICATION HEADER 

AH is one of the three primary IPsec protocols and provides data integrity, peer authentication, and antireplay. Authentication and integrity checks are performed by HMAC. An IPsec VPN has the option to use AH, ESP, or both for authentication and data integrity.

AH is implemented by adding headers to the original IP packet and ensures that the data have not been altered; however, it does not provide any means of data confidentiality.

ENCAPSULATING SECURITY PAYLOAD 

Similar to AH, ESP is the foundation for the data confidentiality, data integrity, data origin authentication, and optional antireplay features of IPsec. It is also the only IPsec protocol that provides data encryption. ESP, too, is achieved by the addition of headers to the original IP packet. There are three options for IPsec ESP encryption: (1) data encryption standard (DES), (2) triple data encryption standard (3DES), and (3) advanced encryption standard (AES).

ENCRYPTION ALGORITHMS 

The best means of protecting data from being interpreted is by encryption. Encryption is based on a key used in the mathematical algorithm, making the data decryptable only by those with the corresponding key. The result is encrypted data, or cipher text.
The strength of the encryption is dependent on three factors:

• Strength of the encryption algorithm 

• Strength of the key(s) 

• Secrecy of the key(s) 

Breaking encryption that uses a 128-bit key is not entirely infeasible if the algorithm and key are not adequately secured. Generally, the easiest and foremost security risk is the encryption key being stolen.

Symmetric Encryption 

A symmetric encryption algorithm, also referred to as secret key cryptography, is one where the same key is used both to encrypt and to decrypt data. This has been the most widely used encryption type, and it was the only encryption type available until the mid-1970s. A symmetric encryption process is illustrated in Figure 32.3.

The secret key is known by both parties. Given that a VPN usually traverses an untrusted medium such as the Internet, there must be a means of sending the secret key in a secure manner. In the case of an IPsec VPN, the SA provides the means by which the secret key is transferred. The most common symmetric encryption algorithms are (1) DES, (2) 3DES, and (3) AES.

Asymmetric (Public Key) Encryption 

Asymmetric encryption differs from symmetric encryption in that two keys are used to complete the encryption and decryption process. A public key is used to encrypt data and a private key is used to decrypt data. The more sensitive of the two keys in terms of security risk is the private key, since an unintended user having access to the private key can decrypt the encrypted data after interception. Therefore, of the two keys, it is the private key that must be protected. The public key, on the other hand, is of no use to anyone wishing to decode the encrypted data and can be freely distributed without threat to the protected data. In short, the private key is to be kept private and secret. An asymmetric encryption process is illustrated in Figure 32.4.

Only one computer generates the private and public key pair used for the asymmetric encryption and decryption. As an example, host B generates a public and private key pair, of which the public key is sent to host A and is used by host A to encrypt the data. The decryption is performed with host B’s private key, which is kept private to host B alone.

In regard to digital signatures, the private key is used to sign the hash value of a message and the public key is used to decrypt and verify the signature.

Some common asymmetric encryption algorithms are: 
(1) Rivest, Shamir, and Adleman (RSA) and (2) Diffie- 
Hellman (DH). 

The RSA algorithm uses 1024 bits and is considered by most to be impossible to decrypt. Encryption at 1024 bits is highly processor-intensive and therefore significantly resource demanding. Because of this processing cost, it is not suitable for continuous bulk encryption applications.

The strength of asymmetric encryption can be used to compensate for the weakness of symmetric encryption: asymmetric encryption is used to create a secure channel for the transmission of the shared key, which is then used for the symmetric encryption of the continuous bulk communications. This forms the basis of IPsec VPNs, where IKE phase 1 establishes a secure communications channel for key exchange and, once that security is established, a symmetric encryption algorithm is used to protect the continuous flow of data.
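The hybrid model in the paragraph above, as an added Python example (not from the chapter): two peers agree on a shared secret with Diffie-Hellman over the 1024-bit MODP group (RFC 2409 group 2), derive symmetric keys from it, and then protect bulk data with those keys. Because the standard library has no AES or 3DES, the bulk cipher is a stand-in built from HMAC-SHA256 in counter mode; the key derivation, message layout and sample message are constructed for this example.

```python
import hashlib
import hmac
import secrets

# 1024-bit MODP group (RFC 2409 group 2, the group IKE calls "group 2"),
# generator 2. It matches the chapter's era; current deployments use 2048-bit
# or larger groups.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2
NONCE_LEN, TAG_LEN = 12, 32


class Peer:
    """One VPN end point: a DH private value and, after agreement, session keys."""

    def __init__(self):
        self.x = secrets.randbelow(P - 2) + 1   # private exponent, never transmitted
        self.public = pow(G, self.x, P)         # g^x mod p, sent over the Internet
        self.enc_key = self.mac_key = None

    def derive_keys(self, peer_public):
        """Shared secret (g^y)^x = (g^x)^y mod p, then separate keys for
        encryption and integrity via labelled SHA-256 (a constructed, simple KDF)."""
        if not 1 < peer_public < P - 1:          # reject degenerate public values
            raise ValueError("invalid DH public value")
        secret = pow(peer_public, self.x, P).to_bytes(128, "big")
        self.enc_key = hashlib.sha256(b"enc" + secret).digest()
        self.mac_key = hashlib.sha256(b"mac" + secret).digest()
        return self.enc_key, self.mac_key


def _keystream(key, nonce, length):
    """Stand-in for AES/3DES (not in the standard library): HMAC-SHA256 of
    nonce || counter, concatenated and used as a stream cipher keystream."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
    return b"".join(blocks)[:length]


def encrypt(enc_key, mac_key, plaintext):
    """Returns nonce || ciphertext || tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt(enc_key, mac_key, blob):
    """Checks the tag before touching the ciphertext; raises on tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def session(message=b"constructed telemetry: pressure=4.2bar"):
    """Key agreement between two peers, then one protected bulk message.
    Returns (both sides derived the same keys, peer B recovered the message)."""
    a, b = Peer(), Peer()
    keys_a = a.derive_keys(b.public)   # each side sees only the other's public value
    keys_b = b.derive_keys(a.public)
    blob = encrypt(*keys_a, message)
    return keys_a == keys_b, decrypt(*keys_b, blob) == message
```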

MANAGING VPNs 

VPNs need to be managed properly. A manager’s responsibility is to ensure that the connectivity of a company to its environment is maintained and secure. This allows the company to communicate with internal processes, clients, business partners, and branch offices. Communications may include e-mails, voice, video, personal contacts, and process data.

Demands on managed VPNs depend on the size of the company, the number of stations, and the volume of information flow. The network infrastructure should be expandable, since a small company can grow in a short period into a larger company employing thousands of people. This fact needs to be addressed when deciding how deep the remote computerized process should go and what the expected future throughput is. In the beginning, the network may be managed by a small IT group. This small team will primarily deal with the different providers for connectivity and with the PCs and their OS, together with customers’ application needs. As the organization grows bigger, new demands on the network and the supporting IT team will grow equally.

Small- and Medium-Size Companies 

Medium-size companies set up their own IT departments, but outsourcing is not uncommon. When IT is outsourced, executive management often struggles, as they wish to keep control of connectivity, applications, and mobility within the corporate borders. The technical demand for data and voice networks can build up quickly. The future of the IT department will depend on how fast these issues can be resolved. The idea of a service level agreement (SLA) becomes very important in this context.

Global Companies and Complex Communication Networks 

Today’s global organizations act on global markets and need versatile VPNs. As their operations spread outside the core country, there is a need to get organized country by country and/or region by region. Unfortunately, neither the countries nor the regions may have the same business practices and equal levels of development; examples are different power interfaces, cultural differences, and diverse workplace practices. Let us say a router fails on a Friday. As this may be a nonworking day in some countries, it may be hard to get it back in service again. A global organization needs to take all these considerations into account while setting up its VPNs, say, to control a process or a refrigeration plant. Complex products need complex processes and hence versatile VPNs.


Auto-Managed Networks 

In large companies, roles and responsibilities are generally well defined. The IT departments in those companies are not only technical teams but also have much more control of technical resources. The IT department may decide to automate some of the operations in the VPN environment. An example is the use of FTP servers with software that automatically sends an e-mail to the administrator once the hard disk reaches 80% capacity. Another example is management software that controls equipment (EQ) centrally from the site where the company’s enterprise resource planning (ERP) software is located.

Service Delivery 

Secure and robust service delivery (SD) is mandatory for many organizations. Global organizations set up and use complex communication systems. As an example, let us consider a company that has a data center located in Africa with a hub site for the CEO, a car plant located in Asia, and a development center set up in Europe. Based on this structure, it is possible to create a multiprotocol label switching (MPLS) backbone and provide a VPN connection for secure, reliable, and customizable access. Many organizations set up priorities on their VPN lines. This can be done once the data networks consultant (DNC) defines the traffic classifications prior to CCN deployment. This happens via classes of service (CoS) ranked from CoS 1 to CoS n. CoS 1 represents the most important traffic, for example, voice, compared with low-level CoS such as FTP, Telnet, or web.


CONCLUSIONS AND COMMENTS 

Today’s hierarchical network topology involves the use of centralized services. This minimizes hardware requirements and associated costs and provides easily managed services. Today’s companies span larger geographical markets and in many cases employ a workforce that is reliant on the centralized network services. VPNs provide the means of interconnecting local networks and services to remote users or branches. VPNs provide a secure and protected channel for data exchange through the Internet. Therefore, VPNs have provided the basis for the globalization of companies without the need for costly alternatives.